 

User: x is not authorized to perform: (sts:DecodeAuthorizationMessage)

I am facing an issue while trying to provision my EC2 instance through Terraform. However, to debug that issue I am trying to decode the encoded authorization failure message.

But when trying to call that sts decode API I am getting:

Error: A client error (AccessDenied) occurred when calling the DecodeAuthorizationMessage operation: User: xxx is not authorized to perform: (sts:DecodeAuthorizationMessage)

Now I don't know which specific permission I should give to my IAM user to be able to decode this message.

Updates:

Maven asked Jul 24 '20 02:07



1 Answer

Based on the error message quoted, it seems that sts:DecodeAuthorizationMessage permissions are required:

Decodes additional information about the authorization status of a request from an encoded message returned in response to an AWS request.

Subsequently you could add the following policy as an inline policy, for example, into your IAM user or its group:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowStsDecode",
            "Effect": "Allow",
            "Action": "sts:DecodeAuthorizationMessage",
            "Resource": "*"
        }
    ]
}

The same could be added through Customer Managed Policy if inline policies are not desired.

Marcin answered Oct 13 '22 00:10
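As an added example (not code from the question or the answer above), the following Python wraps the same inline policy, the put-user-policy call that attaches it, the sts decode call, and a small summarizer for the decoded JSON. The decoded message shape (allowed, explicitDeny, matchedStatements, failures, context) follows the documented DecodeAuthorizationMessage output; the sample message, the user name "xxx", the account id and the ARNs are constructed placeholders. boto3 is imported only inside the two functions that talk to AWS, so the policy and summarizer helpers run offline.

```python
"""Grant sts:DecodeAuthorizationMessage to an IAM user and read the result.

Added example. The AWS calls are isolated in attach_decode_policy() and
decode_message(); everything else runs without credentials or boto3.
"""
import json

# The inline policy from the answer, as a Python dict.
DECODE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowStsDecode",
            "Effect": "Allow",
            "Action": "sts:DecodeAuthorizationMessage",
            "Resource": "*",
        }
    ],
}


def policy_json() -> str:
    """Serialize the policy the way iam:PutUserPolicy expects it."""
    return json.dumps(DECODE_POLICY, indent=4)


def attach_decode_policy(user_name: str, policy_name: str = "AllowStsDecode") -> None:
    """Attach the policy inline to an IAM user (needs boto3 and iam:PutUserPolicy)."""
    import boto3  # imported here so the offline helpers need no AWS SDK

    boto3.client("iam").put_user_policy(
        UserName=user_name, PolicyName=policy_name, PolicyDocument=policy_json()
    )


def decode_message(encoded: str) -> dict:
    """Call sts:DecodeAuthorizationMessage and return the decoded JSON as a dict.

    If the caller still lacks the permission, boto3 raises the same AccessDenied
    ClientError shown in the question; it is left to propagate on purpose.
    """
    import boto3

    resp = boto3.client("sts").decode_authorization_message(EncodedMessage=encoded)
    return json.loads(resp["DecodedMessage"])


def summarize(decoded: dict) -> dict:
    """Extract what an operator needs: who tried what on which resource, and
    whether an explicit Deny (rather than a missing Allow) caused the failure."""
    ctx = decoded.get("context", {})
    conditions = {
        c["key"]: [v["value"] for v in c.get("values", {}).get("items", [])]
        for c in ctx.get("conditions", {}).get("items", [])
    }
    return {
        "principal": ctx.get("principal", {}).get("arn"),
        "action": ctx.get("action"),
        "resource": ctx.get("resource"),
        "allowed": bool(decoded.get("allowed", False)),
        "explicit_deny": bool(decoded.get("explicitDeny", False)),
        "matched_statements": len(decoded.get("matchedStatements", {}).get("items", [])),
        "conditions": conditions,
    }


# Constructed sample in the documented DecodedMessage shape; not a real message.
SAMPLE_DECODED = {
    "allowed": False,
    "explicitDeny": False,
    "matchedStatements": {"items": []},
    "failures": {"items": []},
    "context": {
        "principal": {
            "id": "AIDAEXAMPLEID",  # placeholder
            "name": "xxx",
            "arn": "arn:aws:iam::123456789012:user/xxx",  # placeholder account
        },
        "action": "ec2:RunInstances",
        "resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
        "conditions": {
            "items": [{"key": "ec2:Region", "values": {"items": [{"value": "us-east-1"}]}}]
        },
    },
}

if __name__ == "__main__":
    print(policy_json())
    print(json.dumps(summarize(SAMPLE_DECODED), indent=2))
```

Reading the summary: explicit_deny false together with zero matched statements means no policy granted the action at all (the usual Terraform provisioning case), whereas explicit_deny true points at a Deny statement or SCP that must be found and changed rather than an Allow that must be added.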